Resubmissions

15/05/2023, 19:47 UTC

230515-yhplyaff21 8

Analysis

  • max time kernel
    141s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2023, 19:47 UTC

General

  • Target

    NordVPNSetup.exe

  • Size

    1.7MB

  • MD5

    59cb69a08fdd9cb4b0539e3356df1d4d

  • SHA1

    0c773a0a76f821780c002d527bee387b98904569

  • SHA256

    bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522

  • SHA512

    51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2

  • SSDEEP

    24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\is-NDN0K.tmp\NordVPNSetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NDN0K.tmp\NordVPNSetup.tmp" /SL5="$80044,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:2568

Network

  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    api.nordvpn.com
    NordVPNSetup.tmp
    Remote address:
    8.8.8.8:53
    Request
    api.nordvpn.com
    IN A
    Response
    api.nordvpn.com
    IN A
    104.17.49.74
    api.nordvpn.com
    IN A
    104.17.50.74
  • flag-us
    GET
    https://api.nordvpn.com/v1/helpers/ips/insights
    NordVPNSetup.tmp
    Remote address:
    104.17.49.74:443
    Request
    GET /v1/helpers/ips/insights HTTP/1.1
    User-Agent: Nord.Setup/1.0.0.0
    Host: api.nordvpn.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 15 May 2023 19:47:51 GMT
    Content-Type: application/json;charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Accept-Before: 1684223271
    X-Authorization: key-id="rsa-key-1",algorithm="rsa-sha256"
    X-Digest: 2dc9ba06fb3c38662d9561237894a443f5025ef7e9640dad27e5219d232b6f86
    CF-Cache-Status: DYNAMIC
    Set-Cookie: __cf_bm=gGD80R7cL2p3Aa7f0oZjcTgbm_hkpayUDZO3shv6hps-1684180071-0-AaeEhUlxf+rdvLjMILpgChJLqeomnioKJgWXTTOZgG6yEH+0Tg1cJfJHSZmgWX4keRsDr00tH/MWWmyYLV93aQ0=; path=/; expires=Mon, 15-May-23 20:17:51 GMT; domain=.nordvpn.com; HttpOnly; Secure; SameSite=None
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Server: cloudflare
    CF-RAY: 7c7de52669200e78-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • flag-us
    DNS
    applytics.zwyr157wwiu6eior.com
    NordVPNSetup.tmp
    Remote address:
    8.8.8.8:53
    Request
    applytics.zwyr157wwiu6eior.com
    IN A
    Response
    applytics.zwyr157wwiu6eior.com
    IN A
    104.18.227.44
    applytics.zwyr157wwiu6eior.com
    IN A
    104.18.226.44
  • flag-us
    POST
    https://applytics.zwyr157wwiu6eior.com/appevent
    NordVPNSetup.tmp
    Remote address:
    104.18.227.44:443
    Request
    POST /appevent HTTP/1.1
    User-Agent: Nord.Setup/1.0.0.0
    Content-Type: application/x-www-form-urlencoded
    Host: applytics.zwyr157wwiu6eior.com
    Content-Length: 154
    Expect: 100-continue
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 15 May 2023 19:47:51 GMT
    Content-Length: 0
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 7c7de528eb6b0e87-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • flag-us
    DNS
    74.49.17.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.49.17.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    44.227.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    44.227.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    62.13.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    62.13.109.52.in-addr.arpa
    IN PTR
    Response
  • 104.17.49.74:443
    https://api.nordvpn.com/v1/helpers/ips/insights
    tls, http
    NordVPNSetup.tmp
    959 B
    7.0kB
    12
    13

    HTTP Request

    GET https://api.nordvpn.com/v1/helpers/ips/insights

    HTTP Response

    200
  • 104.18.227.44:443
    https://applytics.zwyr157wwiu6eior.com/appevent
    tls, http
    NordVPNSetup.tmp
    1.2kB
    3.6kB
    10
    9

    HTTP Request

    POST https://applytics.zwyr157wwiu6eior.com/appevent

    HTTP Response

    200
  • 52.152.110.14:443
    260 B
    5
  • 13.69.239.73:443
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 173.223.113.164:443
    322 B
    7
  • 52.152.110.14:443
    260 B
    5
  • 209.197.3.8:80
    322 B
    7
  • 52.152.110.14:443
    260 B
    5
  • 52.152.110.14:443
    260 B
    5
  • 52.152.110.14:443
    260 B
    5
  • 52.152.110.14:443
    260 B
    5
  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    api.nordvpn.com
    dns
    NordVPNSetup.tmp
    61 B
    93 B
    1
    1

    DNS Request

    api.nordvpn.com

    DNS Response

    104.17.49.74
    104.17.50.74

  • 8.8.8.8:53
    applytics.zwyr157wwiu6eior.com
    dns
    NordVPNSetup.tmp
    76 B
    108 B
    1
    1

    DNS Request

    applytics.zwyr157wwiu6eior.com

    DNS Response

    104.18.227.44
    104.18.226.44

  • 8.8.8.8:53
    74.49.17.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    74.49.17.104.in-addr.arpa

  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    44.227.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    44.227.18.104.in-addr.arpa

  • 8.8.8.8:53
    62.13.109.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    62.13.109.52.in-addr.arpa

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-DN2M6.tmp\Nord.Setup.dll

    Filesize

    40KB

    MD5

    b18bd486c5718397bc65d77a16ce2593

    SHA1

    58fe73e27c5c04e6915c5358f698f7fe8c2b5af8

    SHA256

    0bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c

    SHA512

    f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e

  • C:\Users\Admin\AppData\Local\Temp\is-NDN0K.tmp\NordVPNSetup.tmp

    Filesize

    3.1MB

    MD5

    29ca787f3a0d83846b7318d02fccb583

    SHA1

    b3688c01bef0e9f1fe62dc831926df3ca92b3778

    SHA256

    746b972e21acb59e4086b5b25fe53ef2cddcecfa94dd56ad68c8e5bab9960c3c

    SHA512

    a6c21bf5590dc91a5d9bc729d9c04c20b54341d3270efd2fb7d2b548d7dc7b23a1a351147a07dfd569e901a608cb44533304de10725cb02fec781cada80b8e3b

  • memory/2028-157-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

  • memory/2028-133-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

  • memory/2568-154-0x0000000000910000-0x0000000000911000-memory.dmp

    Filesize

    4KB

  • memory/2568-155-0x0000000003780000-0x0000000003790000-memory.dmp

    Filesize

    64KB

  • memory/2568-156-0x0000000007B70000-0x000000000809C000-memory.dmp

    Filesize

    5.2MB

  • memory/2568-153-0x0000000074060000-0x0000000074070000-memory.dmp

    Filesize

    64KB

  • memory/2568-158-0x0000000000400000-0x000000000071B000-memory.dmp

    Filesize

    3.1MB

  • memory/2568-159-0x0000000000910000-0x0000000000911000-memory.dmp

    Filesize

    4KB

  • memory/2568-160-0x0000000003780000-0x0000000003790000-memory.dmp

    Filesize

    64KB
